If we encrypt a message twice with symmetric key $k_1$ first and then $k_2$ like $E_{k2}\{E_{k1}\{m\}\}$ , ideally we should decrypt with $k_2$ first and then $k_1$ but is it possible to decrypt with $k_1$ and then with $k_2$ ? Using any of the AES Modes preferably ?

You can do it with CTR or OFB. But depending on which intermediate steps an attacker can observe, it's not secure. You need to describe your model, at which points an attacker observes the data clearly. Else you'll end up with a scheme that works but isn't secure.
–
CodesInChaosOct 16 '13 at 11:41

1

Search for commutative encryption. There are several related questions on stackoverflow, but you can't trust their answers for security.
–
CodesInChaosOct 16 '13 at 11:44

1 Answer
1

What you are asking appears to be 'is AES commutative'?
The short answer to which is no: encrypting with AES with key 1 then key 2 will not (generally) give the same output as encrypting with key 2 then key 1, which is what would be required for naive implementation.

However, there are modes in which AES can be used which would be commutative.
For example, if you run AES in counter mode, then after encrypting with key1 and key2 through counter mode, we would have that the final cipher text $c_i$ was:
$$c_i = m_i \oplus E_{k_1}(i) \oplus E_{k_2}(i)$$

Edit: Just to point out, if one was to use counter mode in this way, you would have to either make sure the counters are initialised at different values, or that the keys are different - otherwise your 'encryption' would become
$$c_i = m_i \oplus E_{k_1}(i) \oplus E_{k_1}(i) = m_i$$
Which is probably not a good thing...

It's important to note that xor isn't secure if the attacker can observe the intermediate values $E_{k_1}(i)$ and $E_{k_2}(i)$, so e.g. using xor with a three-pass-protocol is completely broken.
–
CodesInChaosOct 16 '13 at 16:08